State of Oregon
Office of the State Treasurer
3rd Party Service Provider Application

As documented in Oregon State Treasury's Cash Management Policy 02 18 14.PO, the Office of the State Treasurer (OST) maintains an application process for Service Providers who wish to provide credit/debit card and Automated Clearing House (ACH) transaction storage, processing, and/or transmission services to state agencies and organizations. Current and prospective 3rd Party Vendors providing these services are directed to complete this form.

The purpose of this prequalification process for 3rd parties providing financial transaction processing services to State of Oregon Agencies is to understand a 3rd party's conformance with State of Oregon laws and banking requirements, the Payment Card Industry Data Security Standards (PCI DSS), and the National Automated Clearing House Association (NACHA) Operating Rules.

Section A. Service Provider Information

Company Name:
Company Address:
Company Website: (Note: if a detailed description of your company is not available on-line, please attach marketing materials.)
Contact Name: (Note: the Contact should be the person in your organization who can answer questions about your organization's responses to this application.)
Contact Title:
Contact Phone:
Contact E-mail:
A.1. Service Provider Business Narrative

All Service Providers should prepare a narrative that describes their business, relationship to card and bank account data, and the ways in which that financial data is received from end-customers or third-party businesses. Please provide responses to the following.

- Explain specifically how your service and/or application will be used by a State organization to process financial transactions.
- Years in Operation
- Approximate volume of credit card and/or ACH transactions processed annually.
- Name of Merchant Bank/Processor used to process cardholder data and/or ACH transactions.
- Describe how cardholder data and/or bank account information can be accepted for processing through your solution, e.g., Point of Sale (POS), Integrated Voice Response (IVR), Fax, Website, Mail Order or Telephone Order (MOTO), Mobile, Other.

A.2. Payment Flow Diagram

All Service Providers should maintain logical diagrams of their payment card and ACH processing environments. These diagrams should illustrate all areas where payment card and/or bank account data is accepted, stored, transmitted, and processed. The diagram included in Exhibit A depicts an example of a PCI compliant payment flow diagram for TJ's Pet Supply, a fictional pet supply retailer.

Please provide a copy of a Payment Flow Diagram reflecting the flow of cardholder and/or bank account data via your solutions from the time it is key entered by staff or a customer to the time it is settled and deposited to a state organization's bank account. The diagram must clearly reflect the organization or party responsible for maintaining and securing each component of the infrastructure included in the diagram.

A.3. Summary of Software/Hardware Information

Provide the name of all of the software (include version #) and hardware through which financial transaction data is entered, transmitted, processed and/or stored, as listed in the Payment Flow Diagram.
Section B. Protection of Customer Information

To pre-qualify as a Service Provider for the State of Oregon for processing financial transactions, the organization must show that they comply with the PCI DSS for processing cardholder data, applicable NACHA rules for processing bank account information, and Oregon's Identity Theft Protection Act.

B.1. Payment Card Industry Data Security Standards (PCI DSS)

Service Provider must be listed on Visa's and/or MasterCard's website as a compliant service provider in good standing for credit/debit card transactions. Please complete the following:

[ ] Company is a Level ____ Service Provider (Service Provider levels are defined on Visa's website; see usa.visa.com)

[ ] Company is listed as a CISP/PCI Compliant Service Provider on Visa's and/or MasterCard's website under the following name: ____________ Certification Date: ________

OR

[ ] Company has completed a PCI Data Security Assessment validating compliance with PCI Data Security Standards, which is currently under review for inclusion on Visa's and/or MasterCard's website. For verification purposes, please provide the following:
Qualified Data Security Company:
Primary Contact Name:
Primary Contact Number/e-mail:
Date Assessment was Completed:

Please provide the following: a copy of the PCI DSS Attestation of Compliance (AOC), completed and signed by your Qualified Security Assessor (QSA), with your completed application.
B.2. NACHA Rules

Electronic check processing must comply with NACHA Operating Rules and Security Requirements. OST expects the Service Provider to document in the contract with an agency that the Service Provider will comply with the applicable NACHA Rules and associated security requirements.

B.3. Identity Theft Protection Act

All financial transactions are subject to Oregon's Consumer Identity Theft Protection Act. OST expects the Service Provider to document in the contract with an agency that the Service Provider understands, and to describe how they will comply with, the Oregon Identity Theft Protection Act.
Section C. State of Oregon Requirements

C.1. 3rd Party Vendor Fees

OST does not allow any organization to debit State bank accounts by ACH for fees; therefore, to pre-qualify as a 3rd Party Vendor, you or another organization working on your behalf (e.g. resellers) must agree to invoice the state organization for fees associated with the services you are providing. State organizations have the ability to make payments to your organization electronically by ACH or by check.

[ ] Checking this box indicates that you or another organization working on your behalf will invoice state organizations for fees associated with the services you provide.

List all the parties involved in the fee process and describe how the fees will be collected:

C.2. Relationship between Vendor and State Organization

If your company is working on behalf of a state organization (collects moneys on behalf of the State organization via an agreement with a State agency), then the funds received by your company are considered public funds as soon as they are settled/received by your company. Processing of public funds must comply with ORS 293.265 and ORS 295, and deposits must be made directly into a State Treasury account.
ORS 293.265 (1) states in part: "It shall be the duty of the officer or other person or agent collecting, receiving, in possession of, or having the control of any state money or other funds, contributions or donations collected or received by, and to be expended by or on behalf of the state under the approval or supervision of any state officer, board, commission, corporation, institution, department or other state organization, recognized by the laws of this state and having the power to collect and disburse state funds, to turn over all such moneys mentioned in this section collected or received by or on account of such state officer, board, commission, corporation, institution, department or other state organization, to the State Treasurer not later than one business day after collection or receipt thereof."

ORS 295.002 provides: "that each public official shall deposit public funds in the custody or control of the public official in one or more depositories currently qualified pursuant to ORS 295.001 to 295.108."

The Department of Justice has advised agencies that moneys over which a state agency has contractual control, even though it does not have custody of the moneys, are public funds. For example, if an agency contracts with a third party to hold, manage or collect moneys on behalf of the agency, or an agency directs through its contract how moneys may be used in order to fulfill an obligation of the agency, such moneys are probably public funds. Contracts with third party administrators, grant recipients, escrow agents or persons collecting moneys for a state agency frequently involve public funds issues. If a contract involves public funds that are held and deposited by a third party, the contract should include language that requires the contractor to deposit the moneys in a qualified bank depository as defined in ORS 295.001. The contract should also require the contractor to identify the funds on the records of the bank as held for the benefit of, or on behalf of, the agency so that the moneys may be collateralized as public funds under ORS 295.015. The purpose of ORS chapter 295 is to provide collateral for public funds deposits in the event of a bank's insolvency.

Related Links:
http://www.leg.state.or.us/ors/293.html
http://www.leg.state.or.us/ors/295.html
http://www.ost.state.or.us/divisions/finance/cashmanagement/policy/2 18 14.3rd.Party.Vendor.pdf
http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-serviceproviders.pdf
http://usa.visa.com/download/merchants/validated_payment_applications.pdf
https://www.pcisecuritystandards.org/security_standards/vpa/

Please answer the following:

a. Will your organization be providing services on behalf of a state organization?
[ ] Yes [ ] No

Note: it is very rare that a Service Provider would actually be working on behalf of an agency's customers rather than on behalf of the agency. If you answered No to the question above, OST recommends that the agency have their attorney review the contract to clarify the relationship between the 3rd party and the agency to ensure compliance with ORS 293.265 and ORS 295, if applicable.

If you answered No to a. above, go to Section D; otherwise, respond to the questions in Sections C.3 through C.5 indicating how your organization will comply with the state's depository requirements.

C.3. Merchant ID Requirements

Credit/Debit card transactions must be deposited directly into a state account using a U.S. Bank/Elavon issued Merchant ID when they are settled after end-of-day processing.

Will your organization deposit credit/debit card funds directly into a state account using a U.S. Bank/Elavon issued Merchant ID?
[ ] Yes [ ] No

C.4. ACH Transaction Posting Requirements

ACH transactions must be processed using a State of Oregon issued Company ID and Name, and must post to State agency and customer/receiver bank accounts on the effective date of the transaction, e.g., the transaction must credit the agency account on the same day that it debits an agency's customer's account.

Will your organization use a state-issued Company ID and Name provided to you by the state agency to process ACH transactions on their behalf, and never deposit the funds into your organization's bank account?
[ ] Yes [ ] No

C.5. Merchant Bank Processor Requirements

All credit/debit card transactions processed on behalf of agencies must process through Elavon or TSYS. Please complete the following section indicating whether you are certified to process directly with, or use a gateway to process through, Elavon or TSYS.

[ ] Your company is certified and processes directly with: [ ] Elavon (formerly Nova) and/or [ ] TSYS (formerly Vital)

OR

[ ] Your company uses a PCI-compliant payment application/gateway to process through: [ ] Elavon (formerly Nova) and/or [ ] TSYS (formerly Vital)

Please provide a list of the payment applications your service uses to process through Elavon and/or TSYS. Note: the payment application under consideration for use by the State Agency must be included in the payment flow information requested in Section A.2.
D. Certification

By signing this document you certify that your answers are complete and correct to the best of your knowledge, that you have not deceived or attempted to deceive the examiners of this questionnaire, and that you are confident the answers you provided accurately reflect your corporation's or organization's actual practices, policies, and procedures.

X ______________________________
Name:
Title:
Date:

E. Submission and Processing of Prequalification Form

1. If you have any questions regarding this form, please contact the Office of the State Treasurer's Cash Management Policy and Planning Manager at (503) 373-7312.
2. Print this form and complete all sections. If a section does not apply to the service you are providing, mark the section N/A. If required, attach documentation.
3. Mail the completed form and any required documentation to:
   Office of the State Treasurer
   Attn: Cash Management Policy and Planning Manager
   350 Winter Street NE, Suite 100
   Salem, OR 97301-3896
4. Please allow 2-4 weeks for processing.
Exhibit A: Sample Payment Flow Diagram